October 2, 2014

I have spent the past few years researching the emerging field of 3D printing. I presented on the topic at a NYS legislative committee roundtable. I warned at the annual meetings of both the Academy of Criminal Justice Sciences and the American Society of Criminology that within the next 1-3 years, a viable metallic printing solution will become available. I predicted that once it does, chaos will follow. The ability to print full metallic small weapons and parts of larger weapons from home is a very dangerous ability for anyone to have. These weapons would not have serial numbers and would be untraceable.

I have been warning about it for 3 years… and now it has finally arrived.

Dubbed the “Ghost Gunner,” this $1,200 device takes a solid block of aluminum and, using a technology called computer-numerically-controlled (CNC) milling, cuts away at it until only the design is left. The process is completely computer controlled: the user loads the design (weapon schematics are available online), inserts a block of aluminum, and hits “go.” Many hours later a gun part made of solid aluminum emerges.

This technology has been used for years in iPhone and other electronics manufacturing. However, for the first time, the technology is being made affordable enough for home use.

Computer-numerically-controlled mills can make very dangerous objects. Now that they are being sold for home use, manufacturing weapons without serial numbers has become easy. It is my belief that this type of technology is dangerous and should be regulated at both the Federal and State level.

One option could be to require federal registration for sale or ownership. Another policy option could require licensure for these devices.

I believe Congress and the States should pass legislation categorizing this device and institute legislation to keep these devices from being misused on a large scale.

There is not much time before thousands of these machines will be shipped around America.

A possible scenario to leave you with: a criminal prints out a functioning small firearm and uses it to kill someone. The criminal can just put the firearm back in the machine that created it. The machine could then turn the murder weapon to dust.

Adam Scott Wandt, J.D., M.P.A., is an Assistant Professor of Public Policy at John Jay College of Criminal Justice, where he serves on both the Graduate faculty of the Digital Forensics and Cyber Security program and the Masters of Public Administration in Inspection and Oversight program. Professor Wandt is an Attorney and Counselor-at-Law in the State of New York.

Media requests on this issue should be sent to the attention of apiyapinansook@jjay.cuny.edu with “Ghost Gunner” clearly identified in the subject line.

September 16, 2014

As a Professor, attorney, and technologist, I deliver many academic lectures at John Jay College of Criminal Justice, lecture at conferences to professional organizations, and train law enforcement around the country. In 2012, I began warning of FinFisher, a German-based company (previously U.K.-based) that produces and sells computer intrusion systems, including remote monitoring solutions, and had recently developed the ultimate spyware for smartphones and computers.

Back then, details of FinFisher and its software were not publicly available. The company is secretive as its clients are government intelligence agencies. Some of FinFisher’s clients include nations with poor records on human rights, personal liberties, and privacy, including Mongolia, Pakistan, Vietnam, Nigeria, and Singapore. FinFisher has also reportedly sold software to intelligence communities in South Africa, Australia, Belgium, Slovakia, and the Netherlands.

In 2012, there was little information publicly available as to the full capabilities and reach of FinFisher’s software products. However, since then, information has slowly leaked out through WikiLeaks and other reputable sources. Today, FinFisher is known to produce the most powerful commercial weaponized surveillance malware software packages on the planet.

Two products of significance are FinSpy PC (the computer spyware; the smartphone version of the agent is sold as FinSpy Mobile) and FinFisher Relay (the proxy component that passes traffic between infected devices and the operator’s command server so that the server’s real location stays hidden). Once installed, the spyware grants the ability to intercept files/documents and communications, such as those over Skype and email, and even video and audio through the webcam and microphone. The agent can be remotely “pushed” (installed without the user’s knowledge or action via a trojan or other method) to a computer or smartphone, covering OS X, Windows and Linux computers as well as Android, iOS, BlackBerry, Symbian and Windows Mobile devices. The target does not have to be anywhere near the person deploying the malware. Furthermore, the agent is built to evade anti-virus products, so it is very hard to confirm an infection without a deep forensic analysis of the device or its network traffic.

Disturbingly, researchers at Citizen Lab (citizenlab.org) published evidence and reports showing the use of FinSpy PC and FinFisher Relay against journalists, activists, and political dissidents around the world by government intelligence agencies. But at least the software was only available to government intelligence agencies and was generally kept out of the hands of cyber criminals… until now.

In 2013, during a presentation to the United States Association of Inspectors’ General, I warned that it was only a matter of time until FinFisher’s software would leak out on the web, becoming accessible to cyber criminals and others with malicious intent.

That day has arrived.

Yesterday, on September 15, 2014, Julian Assange, WikiLeaks Editor-in-Chief, allowed both FinSpy PC and FinFisher Relay to be openly published on WikiLeaks.org. In other words, as of yesterday, millions of cyber criminals around the world have access to a weaponized surveillance malware package that can be installed with very little effort, giving access to almost all the data on a user’s computer or smartphone.

Within minutes of the site going live, I received a barrage of communications via phone, email, Twitter, and text message from students, law enforcement, and researchers around the world. Most people just wanted to talk about the release of the software, while others asked how long it would take me to download and analyze the software.

Before lunchtime, my lab at John Jay College of Criminal Justice (The Advanced Research Domain for Information Security in Public Policy) had downloaded all available software and documentation. While my team and I obviously cannot deploy the software “in the wild,” we are able to analyze its code to determine exactly how virulent the software really is. We will be devoting a significant amount of time in the near future to analyzing this threat and reporting our findings.

There is a glimpse of bright light shining through the murky water… Julian Assange and WikiLeaks did not release this software for cyber criminals to obtain and use, although it will be an unintended result. Their primary goal was to allow security researchers to analyze the code to come up with methods to protect us all (the public). While we are all at risk today, you can be sure that future software updates from Apple, Google, and Microsoft will contain significant security improvements rendering this software obsolete. That is, of course, until FinFisher updates the code within their products, and the cycle starts over again…


Media requests on this issue should be sent to the attention of apiyapinansook@jjay.cuny.edu with FinFisher clearly identified in the subject line.

August 27, 2014

When it comes to smartphone security, there are several “best practices” you can follow to protect your data. First, always update your smartphone to the latest version of the operating system; this ensures your smartphone receives the security updates that keep your data safe. Second, always set a passcode, even if you think you do not need one. The passcode is more than a lock on the screen: on an iPhone it is what makes data protection work, because the keys that encrypt protected files are derived from it, and on Android the device-encryption key is likewise protected by the lock-screen PIN or password, so without a passcode the on-device encryption protects nothing against someone holding the phone. Third, Android users should install anti-virus software. While iPhone users do not need to install anti-virus software, it is an absolute necessity for Android users, who can download one of several free anti-virus programs from the Google Play store. Android users should also enable phone encryption, if supported by the phone model, which can be found in the “Settings” menu. Finally, Android users should make sure “USB Debugging” is disabled in the Settings menu: with it enabled, anyone who plugs the phone into a computer can use the Android Debug Bridge to pull data off the device and install apps (on older Android versions without even an on-screen authorization prompt), which is exactly what a thief or a forensic examiner wants.

Finally, there is a five-step process you should follow when you are ready to dispose of your smartphone. Use this process no matter the method of disposal, whether you are recycling the phone, gifting it to a friend, or selling it through Gazelle, eBay, etc. Following it will minimize the risk that others can recover information/data after you wipe the phone.

(1) Reset the phone to factory defaults. Instructions for resetting iPhone: Settings > General > Reset > Erase All Content and Settings. Instructions for resetting Android: varies by phone and carrier; look for “reset phone,” “factory data reset,” or “reset phone to factory default” under the Settings menu.

(2) Set the smartphone up again in order to access the App store (iPhone) or Google Play store (Android).

(3) Download and run a secure file shredder that will forensically wipe information from the device. I recommend the file shredder contained in a free secure communications application called Wickr. You can download Wickr from the App store (iPhone) or Google Play store (Android). Once installed, access “Secure Shredder” from the settings menu in Wickr and click “start.”

(4) Reset the phone again following the directions in step 1.

(5) Remove and keep SIM and MicroSD Cards.

No method can absolutely guarantee that your information/data is wiped completely from the phone, but this method is a best practice that keeps you, your family, friends, and co-workers safe. The shredder pass in step 3 matters most on an unencrypted Android phone, where a factory reset typically discards only the file-system index and leaves the underlying flash contents recoverable with forensic tools. On an iPhone, or on an Android phone that was encrypted before the reset, the reset also destroys the encryption key, so the old data is already unreadable and the shredder pass is an extra layer rather than the main defense.
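The security point behind the passcode advice above and behind step 3 of the disposal process is the same one: on an unencrypted device, deleting or “resetting” only forgets where the data is, while an encryption key tied to the passcode, or an overwrite of free space, is what actually makes it unreadable. The following is an added example, not code from the original post or from Wickr. It simulates a small flash chip in Python, with a toy SHA-256 keystream standing in for the device cipher, and shows a forensic carve of the raw storage succeeding after a bare reset and failing after a shredder pass or a crypto-erase; the sample record it stores is constructed for the demonstration.

```python
"""Why a factory reset is not a wipe, on a simulated flash chip.

Added example, not code from the original post or from Wickr. Storage is a
set of fixed-size blocks plus an allocation table (the job the file-system
index does on a real phone). A quick reset clears only the table; a shredder
pass overwrites free space; a crypto-erase discards the key. The SHA-256
keystream is a toy stand-in for the device cipher, for illustration only.
"""
import hashlib
import os

BLOCK_SIZE = 64
BLOCK_COUNT = 32

# Constructed sample record, and the fragment a forensic carve looks for.
SECRET = b"patient file: SSN 123-45-6789 (constructed sample)"
MARKER = b"123-45-6789"


class SimFlash:
    """Block storage with a separate allocation table, like FAT on a phone."""

    def __init__(self) -> None:
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(BLOCK_COUNT)]
        self.table: dict[str, list[int]] = {}  # file name -> block indices

    def _free_blocks(self) -> list[int]:
        used = {b for blocks in self.table.values() for b in blocks}
        return [i for i in range(BLOCK_COUNT) if i not in used]

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        indices = free[:len(chunks)]
        for idx, chunk in zip(indices, chunks):
            self.blocks[idx][:] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.table[name] = indices

    def factory_reset(self) -> None:
        self.table = {}  # quick format: forget the files, touch no data block

    def shred_free_space(self) -> None:
        # What a secure-shredder app does: overwrite every unallocated block.
        for idx in self._free_blocks():
            self.blocks[idx][:] = os.urandom(BLOCK_SIZE)

    def raw_image(self) -> bytes:
        # What a forensic examiner reads: the flash itself, table ignored.
        return b"".join(bytes(b) for b in self.blocks)


def carve(image: bytes, marker: bytes) -> bool:
    # File carving: search raw storage for known content, table or not.
    return marker in image


def toy_keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256. Toy cipher, not for real use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def reset_only() -> bool:
    """Unencrypted phone, reset only. True means the record is still carvable."""
    flash = SimFlash()
    flash.write_file("notes.txt", SECRET)
    flash.factory_reset()
    return carve(flash.raw_image(), MARKER)


def reset_then_shred() -> bool:
    """Unencrypted phone, reset then a shredder pass (step 3 of the post)."""
    flash = SimFlash()
    flash.write_file("notes.txt", SECRET)
    flash.factory_reset()
    flash.shred_free_space()
    return carve(flash.raw_image(), MARKER)


def encrypted_reset() -> bool:
    """Encrypted phone: the reset discards the key, so the blocks are junk."""
    key = os.urandom(32)
    flash = SimFlash()
    flash.write_file("notes.txt", xor_bytes(SECRET, toy_keystream(key, len(SECRET))))
    flash.factory_reset()
    del key  # crypto-erase: no key, no way back to the plaintext
    return carve(flash.raw_image(), MARKER)


if __name__ == "__main__":
    print("reset only, record carvable:", reset_only())        # True
    print("reset + shredder, carvable:", reset_then_shred())   # False
    print("encrypted + reset, carvable:", encrypted_reset())   # False
```

The model is deliberately crude (no wear levelling, no remapped blocks), which is also why real phone wipes are hard to guarantee: on actual NAND, an overwrite from an app may land on a different physical page than the data it is meant to destroy, which is the reason key destruction on an encrypted device is the more reliable of the two methods.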

March 24, 2014

In this unboxing we will take a look at the new Google Nexus 7 by Asus. This is the second-generation Nexus 7, which was released with version 4.3 of the Android operating system. The Nexus 7 is an almost 8-inch tablet and is pretty lightweight for its size at about 12 oz; it also comes with a 1280×800 pixel screen. The Nexus has been praised for its price, processing power, and hardware build, and criticized for its lack of a rear-facing camera and of expandable storage. This video goes through the unboxing of the tablet; I will release a review video soon.

February 24, 2014

I first began teaching as an Adjunct in January 2005. I teach graduate students who often work part- or full-time, have families and other responsibilities, and arrive at a 6 PM evening class tired after a full day of work or other activities. From the beginning, my standard policy was to treat my students to pizza or donuts once or twice a semester. I did this because I knew my students enjoyed it and appreciated it. Also, students seemed more attentive and likely to participate on the days I brought snacks.

Students always gratefully gobbled up every last bite. Most students were excited if there was enough for them to have two or even three slices of pizza, or two or three donuts. Over time, this changed. After a few semesters, I started to have leftovers. Students were taking less (only one slice of pizza or one donut), and some students would not take anything at all. Then, in fall 2013, I brought two dozen Dunkin’ Donuts to class one day. No one ate anything. Not one.

I asked the class why I had a full box of donuts left. Was it that it was too late for donuts? Would they prefer Krispy Kreme? Would they prefer ice cream? To my shock, the unanimous response was quite simple… they wanted healthy treats, like fruit. This was a radical shift from when I first started teaching nearly a decade ago.

Could it really be that over the past decade students were eating healthier and making healthier choices? I was skeptical, so I decided to do an experiment. Later that semester I brought to the same class one box of a dozen Dunkin’ Donuts and one bowl of assorted fruit (bananas, pears, oranges, and an assortment of different types of apples). To my surprise, the students did make the healthier choice. Some students even took more than one piece of fruit. I still remember seeing three apple cores on the desk of one student. In the end, not a single donut was eaten; every piece of fruit was gone.

The only request the students had for future “fruitings” was some paper towels or napkins. I had two requests myself. First, students must clean up after themselves and not leave behind a mess. Second, I asked for volunteers to pick up the fruit on days my schedule made it difficult to do it myself.

Starting this semester, spring 2014, I implemented a new policy which is made easy by the fact that I only teach one traditional in-class course this semester with about 18 students. Every class I bring two bowls of fruit – a colander with apples and pears (I wash them before class), and a bowl of bananas and oranges. At almost every class session so far, every piece of fruit has been eaten.

I am quite amazed at the effect that less than $20 worth of fruit has on a graduate class that meets once a week from 6-8 PM. The students enjoy the evening pick-me-up so much that when I am very busy, they even volunteer to pick up the fruit, a position we have nicknamed the “fruit fetcher.” At the beginning of class students proudly declare, “I am the fruit fetcher and this week I have fetched your fruit.” (Okay, maybe that was paraphrased).

Bringing fruit to class may seem like a simple gesture, but really it is one way of letting my students know that I truly care about their preferences, well-being, and success. If for less than $20 a week some fruit will help my students have a more productive class session and thus help them succeed, then I am more than happy to help.

October 22, 2013

With Apple’s announcement and release of OS X 10.9 Mavericks, many of you will want to perform a clean install by formatting your existing hard drive and starting from scratch. This brand new installation of the operating system will give you the look and feel of a new computer. Since Apple and the App Store do not natively support this, you will have to create a USB installer to do so. However, the method of creating a USB installer is slightly different from that for previous versions of OS X. An additional benefit of creating a USB installer is that you won’t have to download the installer multiple times if you own multiple Macs.

As with previous versions of OS X, you will need an 8 GB flash drive and the ability to download the installer (OS) from the App Store. I have created a simple step-by-step video on YouTube to help you through the process.
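For readers who prefer the command line to the video, the following is an added example (not the steps from the author’s video, and not Apple’s own documentation) of what changed in 10.9: Apple ships a createinstallmedia tool inside the Mavericks installer app, and running it is the whole procedure. The script assumes the installer was downloaded from the App Store into /Applications and that the 8 GB stick is mounted as /Volumes/Untitled (edit VOLUME to match the name your stick shows in Finder); run without arguments it only prints the command, and with --run it erases the stick and builds the installer.

```sh
#!/bin/sh
# Added example (not the author's video steps): build the OS X 10.9 Mavericks
# USB installer with the createinstallmedia tool Apple ships inside the
# installer app. Assumptions: installer in /Applications, stick mounted at
# /Volumes/Untitled. WARNING: createinstallmedia erases the target volume.

INSTALLER="/Applications/Install OS X Mavericks.app"
VOLUME="/Volumes/Untitled"

# Print the exact command without running it (dry run).
installer_cmd() {
    app="$1"
    vol="$2"
    printf 'sudo "%s/Contents/Resources/createinstallmedia" --volume "%s" --applicationpath "%s" --nointeraction\n' \
        "$app" "$vol" "$app"
}

# Refuse to proceed unless both the tool and the target volume are real:
# the tool will happily wipe whatever volume it is pointed at.
check_targets() {
    app="$1"
    vol="$2"
    if [ ! -x "$app/Contents/Resources/createinstallmedia" ]; then
        echo "createinstallmedia not found in $app; download the 10.9 installer first" >&2
        return 1
    fi
    case "$vol" in
        /Volumes/*) ;;
        *) echo "refusing to erase $vol: not a mounted volume under /Volumes" >&2; return 1 ;;
    esac
    if [ ! -d "$vol" ]; then
        echo "$vol is not mounted" >&2
        return 1
    fi
    return 0
}

# Erase the stick and write the installer onto it.
run_installer() {
    check_targets "$INSTALLER" "$VOLUME" || return 1
    echo "Running: $(installer_cmd "$INSTALLER" "$VOLUME")"
    sudo "$INSTALLER/Contents/Resources/createinstallmedia" \
        --volume "$VOLUME" --applicationpath "$INSTALLER" --nointeraction
}

# Usage: sh make_mavericks_usb.sh        (dry run: prints the command)
#        sh make_mavericks_usb.sh --run  (erases the stick and builds it)
if [ "${1:-}" = "--run" ]; then
    run_installer
else
    installer_cmd "$INSTALLER" "$VOLUME"
fi
```

Once it finishes, hold Option at boot, pick the stick, and use Disk Utility from the installer’s menu to erase the internal drive before installing; that is the “clean install” the post describes.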

July 11, 2013

I have had some major issues with the Equinox gym at Columbus Circle regarding billing and cancellation of membership. I feel their boilerplate policies are highly unjust and abusive. I am looking for people who may have suffered financial injury as a result of what I feel are unfair billing or cancellation practices. My goal is to obtain class action status in New York Supreme Court. Please contact me if you think you qualify. I will post updates here as things progress.

It is more than a little annoying that Apple won’t sell OS X 10.8 Mountain Lion on physical media. Only allowing download via the App Store has its limitations for power users and IT shops. The solution is simple… create a Mac OS X 10.8 Mountain Lion install USB flash drive. You can then use the USB drive to install or reinstall OS X as often as you want.

April 26, 2013

Most people living in Manhattan do not own cars. The main methods of transportation are subways, buses, and cabs. If you are a regular taxi rider like me, you know that hailing a cab may be quick and simple, or a long and miserable process, depending on your location and time of day. For example, trying to hail a cab near the Empire State Building at 5 PM on a Friday is nearly impossible. On the other hand, near Columbus Circle on a Saturday evening, you can’t swing a Fendi purse without knocking into a cab.

As a techie and a frequent taxi rider, I was very excited to find out about the Hailo (https://www.hailocab.com) application launching in New York City. Hailo is a free smartphone app that can be used to hail licensed taxis. It was launched in November 2011 and is available in London, Dublin, Toronto, Chicago, and Boston. Beta testing for New York started today, and the app is expected to expand shortly to Tokyo, Washington D.C., Cork, Madrid, and Barcelona.

Because I carry my iPad Mini with me everywhere and take several cab rides a week, I was excited to try this new app and applied for their beta testing program. Today (Friday, April 26, 2013) I was notified that I was approved to be a Hailo beta tester. I eagerly downloaded the application and went outside to try it out. Did I make it to the Shake Shack? … You will have to watch the video to find out.

April 17, 2013

Americans tend to think of online groups like Anonymous and 4chan as mischievous criminals who cause damage and cost corporations and governments millions upon millions of dollars.

But occasionally the views of these groups align with popular opinion.

In response to the explosions at the Boston Marathon, online discussion forums are abuzz with the story that users of the imageboard 4chan took to the Internet to conduct their own investigation. They reportedly requested assistance from the public and collected scores of photographs, a technique called crowdsourcing.

The 4chan users painstakingly analyzed the photos and identified several individuals who may have been involved with the bombing.

A website has been created (http://imgur.com/a/sUrnA) with annotated photographs showing the suspects at different points in time. Two photographs are annotated “Suspect #1” and “Suspect #2.” The suspects can be seen with and without two backpacks that may have been used to carry the bombs. A third suspect carries a duffel bag. Several other suspects are also identified. The photographs and evidence are clearly presented to the public.

This type of crowdsourced criminal investigation is a fairly new activity for hacker groups to engage in. What are the pros and cons of these activities?

PROS:

Taking initiative to increase public safety.

Conducting a public and transparent investigation.

Collecting evidence that may assist law enforcement.

Looking out for Americans.

CONS:

May be considered inappropriate or illegal interference with a federal investigation.

Alerting and outing possible suspects could cause problems for law enforcement.

Releasing evidence before the government deems it appropriate may be considered a problem for national security.

What if these people are innocent? What about violent vigilante responses?

What if images are being doctored?

One final thought: Looking at these photographs, I noticed that some of these people look like special ops, not terrorists. Two of the suspects are wearing tactical pants and the backpacks possibly used to carry the bombs look like tactical gear. Did 4chan simply identify undercover law enforcement or military, not terrorists?

Perhaps these photographs leave more questions unanswered than answered. But one thing is for sure… hacker groups engaging in crowdsourced criminal investigations is an interesting behavior that raises new ethical and legal issues.

Take a look at this archive of 4chan’s photo investigation work (http://imgur.com/a/sUrnA) and tell me what you think in the comments below.

February 21, 2013

I am pleased to announce the launch of sociopolitical.org, what I believe is the Internet’s most complete and easily accessible data set of the social media accounts of elected members of the U.S. Congress.

Sociopolitical.org allows the public to search by representative name or by state, and receive hyperlinks to representatives’ official accounts. The site contains a dynamic map and search features. In addition, we have created a social media index score which rates representatives based on the number of social media websites utilized.

We hope to obtain funding to expand the project to include the ability for users to type in their home address and have a message formatted for Twitter or Facebook automatically tagging the users’ representatives.